| ▲ | SnuffBox 2 days ago |
| I find it bizarre that Google can just ask for a feature to be removed from standard and nobody bats an eye. |
|
| ▲ | johncolanduoni 2 days ago | parent | next [-] |
| To be fair, some things should be legitimately considered to be removed from the standard. O.G. XHTML basically mandated that you accept XML logic bombs and we got over that. Also, while this is certainly Google throwing their weight around, I don’t think they are doing it for monetary advantage. I’m not sure how removing XSLT burnishes their ad empire the way things like nerfing ManifestV3 have. I think their stated reasons - that libxslt is a security disaster zone for an obscure 90s-era feature - is earnest even if its not actually in the broader web’s best interests. Now that Safari is publicly on board to go second, I suspect it’s an inevitability. |
| |
| ▲ | Mikhail_Edoshin a day ago | parent [-] | | XML "logic bombs" happens when the parser expand entities eagerly. If a parser does that one can easily assemble an enormous entity that will eat up all the memory. But a more sophisticated parser won't expand entities right away and thus can merely reject oversized ones. It is really a minor issue. | | |
| ▲ | johncolanduoni 18 hours ago | parent [-] | | There were other esoteric XML logic bomb inducing features is my recollection from all the stuff you used to have to change on the default XML Java parsers, but this was like 20 years ago so I may be misremembering. | | |
| ▲ | Mikhail_Edoshin 8 hours ago | parent [-] | | I myself only remember the possible misuse of disk/URL reading features. These were indeed features and were added by design, but, of course, enabling them in non-trusted input could lead to all sorts of disasters. |
|
|
|
|
| ▲ | notpushkin 2 days ago | parent | prev | next [-] |
| If I understand correctly, Mozilla and Apple don’t really want to support it either. And the reason for that is, the spec is still at XSLT 1.0, which is super old, and current implementations are effectively abandonware. Catch-22? |
| |
| ▲ | johncolanduoni 2 days ago | parent | next [-] | | I believe the spec is at XSLT 3.0 but no browser actually implemented past XSLT 1.0 (not 100% sure - almost nobody cared about this feature last month so hard to find good docs on support). HTML5 and C++ are cut from the same cloth - massive and no reference implementation so full of features that have been “standard” for 10 years but never implemented by anyone. | | |
| ▲ | notpushkin 2 days ago | parent | next [-] | | Yeah, sorry, the XSLT spec is at 3.0 right now of course, but the browsers don’t implement it, and the WHATWG HTML Living Standard only mentions XSLT 1.0. | |
| ▲ | arccy 2 days ago | parent | prev [-] | | even outside of browsers barely anything supports XSLT newer than 1.0 |
| |
| ▲ | ekianjo 2 days ago | parent | prev [-] | | The spec is at XLST 3 right now. | | |
|
|
| ▲ | esrauch 2 days ago | parent | prev | next [-] |
| It doesn't seem weird at all to me: standard is essentially the consensus of the major browser vendors; a spec which all of Chrome, Safari and Edge don't implement is really just a hypothetical. The origin story of whatwg is that Apple, Mozilla and Opera decided that W3C wasn't making specs that they wanted to implement, so they created a new working group to make them. |
|
| ▲ | chrismorgan 2 days ago | parent | prev | next [-] |
| > nobody bats an eye I’ve seen a lot of eye-batting about this. Although Google, Mozilla and Apple are all in favour of removing it, there’s been a lot of backlash from developers. |
| |
| ▲ | johncolanduoni 2 days ago | parent [-] | | Most of whom had never heard of XSLT before today - some were likely born after it had faded into obscurity. I don’t blame people for hating Google for whatever reason, but this is a weird way to try to stick it to them. | | |
| ▲ | sunaookami a day ago | parent | next [-] | | XSLT is widely used, for example by the US congress: https://simonwillison.net/2025/Aug/19/xslt/ | | |
| ▲ | lucumo a day ago | parent [-] | | Neither you nor the blog posts author had heard of that before that ridiculous GitHub issue from yesterday. You're all using the exact same link to the exact same page. This is intellectual dishonesty from you, the blog post author and the issue reporter. Anyone who has read the response to the reporter knows that this is a cherry-picked alternative format. The normal format is an HTML5 page. Search engines just return that instead, so the only way to have found this page is by clicking through that. | | |
| ▲ | sunaookami a day ago | parent [-] | | So "it doesn't matter because other people already posted this example"? | | |
| ▲ | johncolanduoni 18 hours ago | parent | next [-] | | I think their point was that for everything the US congress makes available through client-rendered XSLT, they already also do the transformation on their side and serve the HTML under another page. Which I think is part of Google’s point - you can just compile the XSLT offline once (or during your release process) and provide the same experience without rewriting anything. | |
| ▲ | lucumo a day ago | parent | prev [-] | | Is your intellectual dishonesty professional, or just a hobby? | | |
|
|
| |
| ▲ | ndriscoll a day ago | parent | prev [-] | | More likely the people complaining are those who use it. I've been using it as the sane way to template my personal stuff for ~20 years. It works very well for "hand written" sites. I'm also not trying to be a top site or even visible to the wider world; my audience is my friends and family members. So to me it's a clear "that's not an important use case for the web now" signal. |
|
|
|
| ▲ | TiredOfLife a day ago | parent | prev | next [-] |
| Mozilla asked for removal. Google just filled the paperwork |
|
| ▲ | ekianjo 2 days ago | parent | prev [-] |
| Even "champion of the web" Mozilla is on board. Tells you exactly what you need to know. |
